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What are the research provisions? 


At a glance: 


e The UK GDPR and the DPA 2018 contain a number of provisions for 
processing personal data for research purposes. 
e These provisions make reference to three types of research related 
purposes for processing: 
o archiving purposes in the public interest; 
o scientific or historical research purposes; and 
o Statistical purposes. 


e The research provisions are not set out in one location in the UK GDPR 


or the DPA 2018. Instead, they are contained in a number of articles 
and paragraphs in both pieces of legislation. 
e These provisions cover three broad areas of data protection: 
o the data protection principles; 
o a condition for processing special category data and criminal 
offence data; and 
o exemptions from data subjects’ rights. 


In detail: 


The UK GDPR and the DPA 2018 contain a number of provisions for 
processing personal data for research purposes. 


These provisions recognise the importance to society of scientific and 
historical research and technological development. They ensure that data 
protection requirements enable technological innovation and facilitate the 
advancement of knowledge. 


The provisions make reference to three broad types of research related 
purposes for processing personal data: 


e archiving purposes in the public interest; 
e scientific or historical research purposes; and 
e statistical purposes. 


In this guidance we refer to these collectively as “research” or “research 
related purposes”, although this is not a term that appears in the UK GDPR 


or the DPA 2018. Where the provisions differ depending on the specific type 


of research related purpose, we will refer directly to that purpose. 


The provisions for research are not set out in any one location in the UK 
GDPR or the DPA 2018. Instead, there are a number of articles and 
paragraphs in both pieces of legislation covering research. 
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These provisions cover three broad areas of data protection: 


e the data protection principles; 
e acondition for processing special category data and criminal offence 


data; and 


e exemptions from data subjects’ rights. 


In order to make use of these provisions, you need to have appropriate 
safeguards in place for the rights and freedoms of data subjects. 


The table below sets out where the research provisions and requirements 
about safeguards can be found in the UK GDPR and the DPA 2018. 


Area of data 
protection law 
affected 


Principles 


Conditions for 
processing 


Exemptions 


Purpose limitation 


Storage limitation 


Condition for processing 
special category data 


Condition for processing 
criminal offence data 


Right to be informed when 
data collected from source 


other than the individual 


Location of research 
provision 


Article 5(b) of UK 
GDPR: provision for 
research built into the 
principle 


Article 5(e) of UK 
GDPR: provision for 
research built into the 
principle 


Article 9(2)(j) of UK 
GDPR; read with 


Schedule 1 Paragraph 4 
of the DPA 2018 


Schedule 1 Paragraph 4 
of DPA 2018 


Article 14(5)(b) of UK 
GDPR: exception for 
research built into the 
right 


Right of access 


Right to rectification 


Schedule 2 Paragraphs 
27 and 28 of DPA 2018: 
exemptions for research 
and statistics, and 
archiving 


Schedule 2 Paragraphs 
27 and 28 of DPA 2018: 
exemptions for research 
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and statistics, and 
archiving 


Right to erasure 


Article 17(3)(d) of UK 
GDPR: exception for 
research built into the 
right 


Right to restrict processing 


Schedule 2 Paragraphs 
27 and 28 of DPA 2018: 
exemptions for research 
and statistics, and 
archiving 


Right to data portability 


Schedule 2 Paragraph 
28 of DPA 2018: 
exemption for 
archiving* 


Right to object 


Safeguards 


Article 21(6) of UK 
GDPR: exception for 
scientific or historical 
research and statistics 
built into the right; and 


Schedule 2 Paragraphs 
27 and 28 of DPA 2018: 
exemptions for research 
and statistics, and 
archiving** 


Article 89 of the UK 
GDPR; Section 19 of 
DPA 2018 


*Schedule 2 of the DPA 2018 contains an exemption from the right to data 
portability for archiving purposes in the public interest only. There is no 
exemption from the right to data portability for scientific or historical 


research, or statistics. 


** Article 21(6) contains a built in exception from the right to object to 
processing for scientific or historical research and statistical purposes only. 
However, Schedule 2 Paragraph 28 provides an exemption from the right to 
object when processing for the purposes of archiving in the public interest. 
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What is research related processing? 


At a glance: 


e The research provisions make reference to three types of research 

related purpose: 
o archiving purposes in the public interest; 
o scientific or historical research purposes; and 
o Statistical purposes. 

e You must be able to demonstrate that your processing is necessary for 
one of these research purposes if you wish to make use of the relevant 
provisions. 

e We have developed a set of indicative criteria for each of the three 
types of research. 


In detail: 


e What is research related processing? 
e What is archiving in the public interest? 


e What are some indicative criteria for archiving in the public interest? 
e What is scientific or historical research? 


e What are some indicative criteria for scientific or historical research? 
e What is processing for statistical purposes? 
e What are some indicative criteria for statistical processing? 


What is research related processing? 


Research related processing is processing carried out for any one of the 
following purposes: 


e archiving purposes in the public interest; 
e scientific or historical research purposes; or 
e statistical purposes. 


None of these terms are defined in the legislation, although some additional 
detail is given about them in the introductory recitals to the UK GDPR. 
Recitals are not legally binding, but they are useful for understanding the 
meaning of the articles. 


Relevant provisions in the UK GDPR 


See Recitals 156-163 
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The defining feature of each of these types of research related activities is 
the aim or purpose of your processing. This is key to determining whether 
your processing is covered by the research provisions. We have developed 
descriptions of the aim and purposes of each of the types of research related 
processing, which are set out in the sections below. 


When determining whether or not your processing can legitimately make use 
of the research provisions, you should think carefully about whether your 
processing is necessary for achieving one of the research related purposes. 


We have also developed some indicative criteria for each of the three types 
of research related purposes. These are non-exhaustive and are intended to 
show the types of activity that are indicative of each type of research 
purpose. 


These criteria will help you identify which of your processing activities can, 
for the purposes of data protection law, be defined as for research purposes 
and therefore able to make use of the research provisions. You can refer to 
them in your documentation of processing to show that you have considered 
your use of the provisions and are confident they are necessary. 


However, the key feature is the purpose or aim of your processing. You need 
to demonstrate that your processing is necessary to meet the purpose or aim 
of the type of research identified. 


What is archiving in the public interest? 


The purpose of archiving in the public interest is to ensure the permanent 
preservation and usability of records of enduring value for general public 
interest. 


The aim of archiving is to maintain information and provide access to it for 
research purposes over the very long term. However, archives will often 
contain personal data of living, identifiable individuals. 


The UK GDPR and the DPA 2018 recognise that there is a public interest in 
allowing some records containing personal data to be permanently 
preserved, for the long term benefit of society. 


Some archiving in the public interest will be carried out by bodies with a 
specific legal obligation to archive records of enduring value for the general 
public interest, such as the National Archives, National Records of Scotland, 
and the Public Record Office of Northern Ireland. Public bodies such as local 
authorities may also have a public task set out in statute to maintain 
archives of records. 


However, many organisations undertaking archiving in the public interest will 
not be under any statutory obligation to perform that task. Archiving in the 
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public interest may also be carried out by private or third sector 
organisations. 


Archiving in the public interest should be distinguished from the long-term 
retention of records for business or legal purposes. The term archiving is 
sometimes used to refer to the process of sending records to offsite storage, 
or moving data from a live system. However, for the purposes of the 
research provisions, if records are being kept solely for current business or 
legal purposes, and have no potential or confirmed enduring public value, 
then this is not archiving in the public interest. 


The following table sets out examples of when the purpose of processing 
would be considered to be archiving in the public interest, and when it would 
not: 


Archiving in the public interest Not archiving in the public interest 

e Enabling research and e Maintaining records for 
investigations current business needs or 

e Ensuring long term legal purposes 
accountability e Storing records for a specified 

e Preserving personal, limited time period 
community and corporate e Retaining records that have 
identities, memories and no potential or confirmed 
histories enduring value to society 

e Helping to establish and 
maintain rights, obligations 
and precedents 

e Securing records for future 
educational use 


What are some indicative criteria for archiving in the public interest? 


In order to assist you in considering whether your processing is archiving in 
the public interest, we have developed a non-exhaustive list of activities and 
features that are indicative of this kind of processing. Although the key factor 
is the aim or purpose of your processing, you should also be able to 
demonstrate that some of these activities are features of your processing. 


Although you do not need to meet all of these criteria, we would expect you 
to be able to meet more than one. The more of these criteria you can satisfy, 
the more likely it is that your processing meets the definition of archiving in 
the public interest. 


Activities e Acquisition, selection, appraisal 
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e Storage and preservation 

e Arrangement and description 

e Provision of access through inspection and 
publication 


Standards e Compliance with pre-existing archiving policies and 
procedures 

e Involvement of professional archivists 

e Recognition by the national accreditation scheme 


Access e Making records available for public use - either 
immediately or at a future date when records are no 
longer confidential 

e May be entirely open or limited to particular audience 

e May be in response to requests 


Example 


A museum has created an archive of interviews with 
individuals discussing their experiences of settling in the 
United Kingdom after emigrating to the country in the 1950s 
and 1960s. Many of the individuals interviewed are still alive, 
and so the archive contains personal data. 


The archive is free to access, and is maintained to facilitate 
social history research, as well as for educational uses in the 
future. 


The archive is maintained by a trained archivist at the 
museum, and is available for public use. 


The processing of this personal data can be regarded as 
archiving in the public interest. 


Relevant provisions in the legislation 
UK GDPR Recital 158 (external site) 


Further reading - The National Archives 


The National Archives is the official archive and publisher for 
the UK Government and for England and Wales. It has 
published a quide to archiving personal data. 


What is scientific or historical research? 
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Scientific or historical research should be understood broadly. It includes 
research carried out in traditional academic settings, and includes the full 
range of academic research including for example social sciences, humanities 
and the arts. But it can also include research carried out in commercial 
settings, and technological development and demonstration. 


As noted above, in order to determine whether your processing can make 
use of the research provisions, the key feature is the purpose or aim your 
processing aims to achieve. 


The purpose of scientific or historical research is to produce new knowledge 
or to apply existing knowledge in novel ways, often with the aim of benefiting 
the public interest. 


Scientific or historical research aims to: 


e advance the state of the art in a given field or provide innovative 
solutions to human problems; 

e generate new understandings or insights that add to the sum of human 
knowledge in a particular area; or 

e produce findings of general application that can be tested and 
replicated. 


What are some indicative criteria for scientific or historical research? 


We have developed a non-exhaustive list of activities and features that are 
indicative of this kind of processing. Although the key factor is the aim or 
purpose of your processing, you should also be able to demonstrate that 
some of these are features of your processing. 


Although you do not need to meet all of these criteria, we would expect you 
to be able to meet more than one. The more of these criteria you can satisfy, 
the more likely it is that your processing is for scientific or historical research 
purposes. 


Activities e Formulating hypotheses, isolating variables, 
designing experiments 

e Objective observation, measurement of data 

e Peer review 

e Publication of findings 


Standards e Ethics guidance and committee approval 

e Peer review 

e Compliance with rules on carrying out research on 
animals or human participants 

e Compliance with rules on involving the public in 
your research 
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e Supporting diverse and inclusive research 

e Ensuring safeguarding and preventing bullying and 
harassment in the conduct of research 

e Findings do not lead directly to decisions about 
individual subjects (except in the case of approved 
medical research) 


Access e Publication of results, and commitment to sharing 
findings of research 

e Does not need to be Open Access - can be in 
academic journal with paid access 


Example 


A national charity supporting the elderly decides to carry out 
research into how successful the work of community 
volunteer groups were in supporting its service users during 
the national lockdown of 2020. Its aim is to gain a better 
understanding into how well its service users felt supported 
by these groups, and whether this helped lessen social 


isolation. It intends to publish its findings (in an anonymised 
format), and will use them to help inform how it provides 
services, aS well as contribute to debates on national social 
policy in the future. 


The processing of this personal data can be regarded as 
scientific research. 
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Example 


A university establishes a research project to investigate the 
experiences of individuals who emigrated to the United 
Kingdom in the 1950s and 1960s, and to compare the 
differing experiences of individuals from different ethnic 
groups. 


The university’s researchers obtain personal data from the 
archive mentioned in a previous example. 


The processing of this personal data can be regarded as for 
historical research purposes. 


Relevant provisions in the legislation 
UK GDPR Recitals 159 and 160 


Further reading 
The Health Research Authority has produced detailed GDPR 
Guidance for Researchers and Study Coordinators 


UKRI has developed a Good Research Resource Hub which 
contains links to policies, standards and guidance for 
researchers 


What is processing for statistical purposes? 


Processing for statistical purposes is processing where the main objective is 
to generate statistics. It is important to note that not all processing that 
leads to the production of statistical results will count as processing for 
statistical purposes. 


As noted above, in order to determine whether your processing can make 
use of the research provisions, the key feature is the purpose or aim your 
processing aims to achieve. 


Processing for statistical purposes refers only to those activities where the 
primary aim or purpose of the processing is to produce statistical outputs. 
These statistical results may then be used for further purposes, including 
scientific research. 


Processing for statistical purposes may be done by public authorities and 
bodies with a statutory obligation to produce and disseminate official 
statistics, such as the Office for National Statistics. But it is also much 
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broader than this, and it may also be carried out by private or third sector 
organisations. Processing for statistical purposes refers to any operation of 
collection and the processing of personal data necessary for statistical 
surveys or the production of statistical results. 


For processing to be considered to be for statistical purposes the outcome of 
the processing should either: 


e not be used to make decisions or justify measures about individual 
data subjects; or 

e have been rendered anonymous, and therefore no longer be personal 
data. 


You should note that if you hold other information that you could combine 
with the anonymised results, in order to re-identify linked individuals, then 
the results will not be truly anonymised, and will therefore still be personal 
data. This would mean that your processing would not be considered to be 
for statistical purposes - unless the information is not being used to make 
decisions or justify measures about individual data subjects. 


What are some indicative criteria for processing for statistical 
purposes? 


The following is a non-exhaustive list of activities and features that are 
indicative of processing for statistical purposes. Although the key factor is the 
aim or purpose of your processing, you should also be able to demonstrate 
that some of these are features of your processing. 


Although you do not need to meet all of these criteria, we would expect you 
to be able to meet more than one. The more of these criteria you can satisfy, 
the more likely it is that your processing is statistical purposes. 


Activities e Designing surveys 

e Sampling populations 

e Interpreting and analysing data 

e Drawing inferences about populations from samples 

Outputs e Not used to make decisions or justify measures about 
individual data subjects 

e Anonymous data, not personal data 

Standards e Compliance with pre-existing policies and procedures 

e Adherence to relevant codes of conduct and 
regulatory frameworks 
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e Where part of a wider research project, this should 
adhere to recognised standards of research integrity 
- ethics committee approval, peer review 


Example 


A health agency is monitoring rates of covid-19 reinfection. It 
collects personal data of individuals who have tested positive 
for covid-19, including data about previous infections, and uses 
this data to generate statistics about the rates of reinfection. 
This data is then used by other agencies to make policy 
decisions in order to try and reduce reinfection rates in the 
future. 


The results of this processing are anonymous, and therefore do 
not contain any personal data. 


The processing of this personal data can be regarded as for 
statistical purposes. 


Relevant provisions in the legislation 
UK GDPR Recitals 162 


Further reading - The National Archives 


The UK Statistics Authority has produced detailed guidance 
on GDPR and Statistics. 
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Principles and grounds for processing 


At a glance: 


Article 5 of the UK GDPR sets out seven key data protection principles. 
Two of these principles — purpose limitation and storage limitation — 
contain special provisions for research related processing. 

The purpose limitation principle says you can reuse existing personal 
data for research related purposes, as long as you have appropriate 
safeguards in place. Since this is compatible processing you should be 
able to use your original lawful basis, unless your original lawful basis 
was consent. 

The principle of storage limitation says that you can keep personal data 
indefinitely, if you are processing it for one of the research related 
purposes, as long as you have appropriate safeguards in place. 

There is no specific lawful basis for research. Depending on your status 
and context, you are likely to rely on either legitimate interests or 
public task for this type of processing. 

There is a specific condition allowing the use of special category data or 
criminal offence data for research purposes, if this is in the public 
interest and you have appropriate safeguards in place. 


In detail: 


What do the data protection principles say about research? 

What does the purpose limitation principle say about research? 
What does the storage limitation principle say about research? 
What lawful basis should we use when processing personal data for 
research related purposes? 

What about consent? 

What is the research condition for processing special category data? 
What is the research condition for processing criminal offence data? 
What does ‘necessary’ mean? 

When is research related processing ‘in the public interest’? 


What do the data protection principles say about research? 


Article 5 of the UK GDPR sets out seven key data protection principles. 
These principles lie at the heart of the general data protection regime. They 
don’t give hard and fast rules, but rather embody the spirit of the general 
data protection regime - and as such there are very limited exceptions. 
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However two of these principles - purpose limitation and storage limitation - 
contain within them special provisions for research related processing. 


What does the purpose limitation principle say about research? 


Article 5(1)(b) states that personal data shall be: 


Quote 


“collected for specified, explicit and legitimate purposes and 
not further processed in a manner that is incompatible with 
those purposes; further processing for archiving purposes in 


the public interest, scientific or historical research purposes 
or statistical purposes shall, in accordance with Article 89(1), 
not be considered to be incompatible with the initial 
purposes.” 


The purpose limitation principle requires you to be open and honest about 
your reasons for obtaining data, and helps guard against ‘function creep’. In 
general, you can only repurpose data if this isn’t incompatible with your 
original purpose. However, the principle specifically says that you can 
repurpose data for research purposes, as this is automatically considered to 
be a compatible purpose. 


Recital 50 allows that when the new purpose for processing is compatible 
with the original purpose for which the data was initially collected, you do 
not need to a new lawful basis for the new purpose. So if you do want to 
repurpose data for research purposes, you won’t need to identify a new 
lawful basis (unless your original lawful basis was consent). 


But you still need to have appropriate safeguards in place and you do need 
to make sure your processing is otherwise fair and lawful. 


When is a new purpose compatible with our original purpose? 


Article 5(1)(b) of the UK GDPR specifically says that research related 
purposes should be considered to be compatible purposes. 


This means that if you have already collected personal data for one purpose, 
and now want to process it for a new research related purpose, this is 
automatically considered compatible with the original purpose. In most cases, 
you do not need to identify a new lawful basis for this processing. You 
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still need to make sure that your processing is generally fair and lawful, and 
you should update your privacy information to ensure that your processing is 
still transparent. 


Example 


A charity working across the United Kingdom to provide 
support to economically vulnerable families decides to use 
the data it collects for the provision of its services to carry 
out research into the occurrence of malnutrition amongst 
children in different geographical areas and socio-economic 
groups. The aims of this research mean that this processing 


can be classed as ‘scientific research’. The original processing 
was carried out using the legitimate interests lawful basis. 


As the new processing is for scientific research purposes, this 
can be regarded as compatible with the original purpose for 
processing. Therefore the charity doesn’t need to identify a 
new lawful basis for processing. 


However, this does not apply when the personal data was originally collected 
on the basis of consent. Processing on the basis of consent means giving 
individuals real choice and control over how their data is used. This means 
that consent must always be specific and informed. People can only give 
valid consent when they know and understand what you are going to do with 
their data. So further processing data collected on the basis of consent for a 
research related purpose, that the individual did not consent to at the time 
the data was collected, will unfairly undermine the original consent. See 
below for What about consent? 


If you wish to conduct research using data originally collected for a different 
purpose on the basis of consent, you will need to seek fresh consent. 


Example 


If the charity in the previous example originally obtained the 


data of its service users on the basis of consent, it will now 
need to seek fresh consent from them in order to use their 
data to carry out its research. 
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If you are conducting research using data collected from another 
organisation, you are collecting new data rather than repurposing data you 
have already collected. You need to identify your own lawful basis to process 
the data. You can’t just rely on compatibility with the original organisation’s 
purposes. 


If you are using data collected from another organisation, rather than data 
collected directly from the data subject, you should still update your privacy 
information. However, you may not have to provide this information to the 
data subjects, if doing so would prove impossible or involve disproportionate 


effort. See below for What is the exception to the right to be informed? 


Example 


A health research organisation, carrying out research into the 
links between childhood malnutrition and other health 
conditions among certain socio-economic groups, obtains 
data from the charity about its service users. It also obtains 
data from GP practices operating in certain areas. 


The charity obtained the data on the basis of the legitimate 
interests lawful basis, whilst the GP practices rely upon the 


public task lawful basis. 


In both instances, the research organisation will have to 
identify its own lawful basis for processing this data. As it is 
processing special category data it will also have to identify a 
condition for processing under Article 9 of the UK GDPR. It 
will also have to provide privacy information to the data 
subjects, unless this is impossible or would involve 
disproportionate effort. 


You must also have appropriate safequards in place for the rights and 
freedoms of data subjects. 


What does the storage limitation principle say about research? 


Article 5(1)(e) requires that personal data shall be: 
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Quote 


“kept in a form which permits identification of data subjects 
for no longer than is necessary for the purposes for which the 
personal data are processed; personal data may be stored for 
longer periods insofar as the personal data will be processed 


solely for archiving purposes in the public interest, scientific or 
historical research purposes or statistical purposes in 
accordance with Article 89(1) subject to implementation of the 
appropriate technical and organisational measures required by 
this Regulation in order to safeguard the rights and freedoms 
of the data subject...” 


The principle of storage limitation means that even if you collect and use 
personal data fairly and lawfully, you cannot keep it for longer than you 
actually need it. 


Although the general rule is that you cannot hold personal data indefinitely 
just in case it might be useful in future, Article 5(1)(e) provides an exception 
to the principle of storage limitation for research related processing. This 
means that you can keep personal data indefinitely, if you are processing it 
for one of the research related purposes. 


However, this must be your only purpose. If you justify indefinite retention 
on this basis, you cannot later use that data for another purpose - in 
particular for any decisions affecting particular individuals. This does not 
prevent other organisations from accessing public archives, but they must 
ensure their own collection and use of the personal data complies with the 
principles. 


If the data is no longer being processed for any purpose including a research 
related purpose it must be deleted. 


You must have appropriate safeguards in place for the rights and freedoms of 
data subjects. 


Further reading — ICO guidance 


Purpose limitation 
Storage limitation 
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What lawful basis should we use when processing personal data for 
research related purposes? 


The lawful bases for processing are set out in Article 6 of the UK GDPR. You 
must have a lawful basis in order to process personal data. 


The most appropriate lawful basis will depend on your specific purposes and 
the context of the processing. However, in the context of research related 
processing the most appropriate lawful basis is likely to be either: 


e Public task - the processing is necessary for you to perform a task in 
the public interest or for your official functions, and the task or 
function has a clear basis in law; or 

e Legitimate interests - the processing is necessary for your legitimate 
interests, or the interests of a third party, unless there is a good 
reason to protect the individual’s personal data which overrides those 
legitimate interests. 


Which of these applies depends on what type of organisation you are. If you 
are a private or third sector organisation conducting research, the most likely 
lawful basis for your processing will be legitimate interests. However, if you 
are a public authority, such as a university or an NHS organisation, public 
task is likely to be the most appropriate lawful basis. 


Remember that this will only arise if you are collecting new data for research 
purposes, or if you are using data in your research that you have collected 
from another organisation. If you are reusing data for research that you 
originally collected for a different purpose, this is covered by purpose 
compatibility. In that case, you can rely on the existing lawful basis for 
processing. 


Further reading — ICO guidance 


Lawful basis 
Public task 


Legitimate interests 


What about consent? 


If you are conducting a research study using personal data, such as medical 
research or a clinical trial, you will probably be required to obtain consent 
from participants to take part in the trial. Consent is an important ethical 
standard that ensures the autonomy and privacy of participants in research 
studies is protected. 


However, it is important to note that consent to participate in a research 
study is distinct from consent as a lawful basis to process personal data 
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under the UK GDPR. Even if you have a separate ethical or legal obligation to 
get consent from people participating in your research, this should not be 
confused with UK GDPR consent. 


Just because you need to obtain consent from individuals to participate in 
your research study, this does not mean that consent is likely to be the most 
appropriate lawful basis for processing their personal data as part of this 
study. There is no rule that says you have to rely on consent to process 
personal data for scientific research purposes. You may well find that a 
different lawful basis (and a different special category data condition) is more 
appropriate in the circumstances. In fact, in most cases, consent will not be 
the most appropriate lawful basis. 


This is because for consent to be valid under the UK GDPR, the individual 
must be able to withdraw it at any time. There is no exemption to this for 
scientific research. This means that if you are relying on consent as your 

lawful basis and the individual withdraws their consent, you need to stop 

processing their personal data - or anonymise it - straight away. 


If you would not be able to fully action a withdrawal of consent - for example 
because deleting data would undermine the validity of your research and 
effective anonymisation is not possible - then you are not able to rely on 
consent as your lawful basis (or condition for processing special category 
data). Consent is only valid if the individual is able to withdraw it at any 
time. 


Also, consent is not an appropriate lawful basis for processing where there is 
a power imbalance between you and the individual whose personal data you 
are processing. This is particularly likely to be the case if you are a public 
authority. If you are a research institution undertaking a study, there may be 
a power imbalance between you and your participants. In these cases, 
consent may not be freely given, and so cannot be valid. 


Therefore, if you are processing personal data for one of the research related 
purposes, your lawful basis is unlikely to be consent. 


If you do want to rely on consent, the UK GDPR acknowledges that if you are 
collecting personal data for scientific research, you may not be able to fully 
specify your precise purposes in advance. 


If you are seeking consent to process personal data for scientific research, 
this means you don’t need to be as specific as for other purposes. However, 
you should identify the general areas of research, and where possible give 
people granular options to consent only to certain areas of research or parts 
of research projects. 


The only time you might have to get consent under the UK GDPR is if you 
want to reuse data you originally collected on the basis of consent for an 
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entirely different non-research purpose - this is to ensure that you don’t 
unfairly undermine the individual’s original informed choice to share that 
data with you for an unrelated purpose. 


We have produced a lawful basis interactive quidance tool, to give more 
tailored guidance on which lawful basis is likely to be most appropriate for 


your processing activities. 


Further reading - ICO guidance 


Lawful basis for processing 


Consent 

Public task 

Legitimate interests 

Lawful basis interactive guidance tool 


What is the research condition for processing special category data? 
If you are processing special category data, you need to identify both a 
lawful basis for processing and a special category condition for processing in 
compliance with Article 9. 


Special category data is personal data that needs more protection because it 
is sensitive, and is defined as: 


e personal data revealing racial or ethnic origin; 

e personal data revealing political opinions; 

e personal data revealing religious or philosophical beliefs; 
e personal data revealing trade union membership; 

e genetic data; 

e biometric data (where used for identification purposes); 
e data concerning health; 

e data concerning a person’s sex life; or 

e data concerning a person’s sexual orientation. 


The presumption is that this type of data needs to be treated with greater 
care because collecting and using it is more likely to interfere with the 
fundamental rights of an individual. 


You can only process special category data if you can meet one of the 
specific conditions in Article 9 of the UK GDPR. One of these conditions is that 
the processing is necessary for research related purposes. 
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Article 9(2)(j) provides a condition for processing if it is necessary for 
archiving purposes in the public interest, scientific or historical research 
purposes or statistical purposes. 


Schedule 1 paragraph 4 of the DPA 2018 sets out some additional 
requirements for you to rely on this condition. This states that you can 
process special category data for research related purposes if the processing 
is: 


e necessary for that purpose - it must be a reasonable and proportionate 
way of achieving your purpose, and you must not have more data than 
you need; 

e subject to appropriate safeguards for individuals’ rights and freedoms, 
as set out in Article 89(1) of the UK GDPR; 

e not likely to cause substantial damage or substantial distress to an 
individual; 

e not used for measures or decisions about particular individuals, except 
for in the case of approved medical research; and 

e inthe public interest. 
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Example 


The museum archive mentioned in a previous example aims to record 
the experiences of certain ethnic groups who had emigrated to the UK 
in the 1950s and 1960s. The museum will be processing information 
about those individuals’ ethnicity. As such, it will be processing special 
category data and will need to satisfy an Article 9 condition for 
processing. 


Given the focus of the archive, obtaining personal data on the ethnicity 
of individuals is necessary for the museum’s purposes. 


In relation to appropriate safeguards, the museum could consider 
whether it could make the interviews available in its archive in a 
pseudonymised format. 


However, if it decides not to do this, the processing of this data in this 
way would not be likely to cause substantial damage or distress to any 
of the individuals. In addition, the information that it has recorded in 
the archive will not be used to make decisions about any of the 
individuals. 


The aim of the archive is to facilitate social history research, as well as 
providing a resource for future educational uses. Taking this into 
account, the museum can claim that the processing is in the public 
interest. 


Therefore, the museum is able to rely on the condition set out in article 
9(2)(j) - on the basis that the processing is necessary for archiving 
purposes in the public interest. 


Relevant provisions in the legislation 


Relevant provisions in the UK GDPR see Article 9(2)(j) 
Relevant provisions in the Data Protection Act 2018 see 
Schedule 1 Paragraph 4 


Further reading - ICO guidance 


Special category data 


What is the research condition for processing criminal offence data? 
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The UK GDPR gives extra protection to “personal data relating to criminal 
convictions and offences or related security measures”. We refer to this as 
criminal offence data. 


If you are processing criminal offence data, you will need lawful basis for 
processing. In addition, you can only process criminal offence data if: 


e the processing is under the control of official authority; or 
e you meet one of the conditions in Schedule 1 of the DPA 2018. 


If you are processing criminal offence data for research related purposes the 
relevant condition is set out in Schedule 1 condition 4 of the DPA 2018. 


This condition means that you can process criminal offence data for research 
related purposes if the processing: 


e is necessary for that purpose - it must be a reasonable and 
proportionate way of achieving your purpose, and you must not have 
more data than you need; 

e is subject to appropriate safeguards for individuals’ rights and 
freedoms, as set out in Article 89(1) of the UK GDPR; 

e is not likely to cause substantial damage or substantial distress to an 
individual; 

e is not used for measures or decisions about particular individuals, 
except for in the case of approved medical research; and 


e is in the public interest. 


Relevant provisions in the legislation 
UK GDPR see Article 10 
DPA 2018 see Schedule 1 Paragraph 4 


Further reading — ICO guidance 


Criminal offence data 


What does ‘necessary’ mean? 


Use of the research conditions for processing special category and criminal 
offence data depends on you being able to demonstrate that the processing 
is ‘necessary’ for your purpose. 


This does not mean that the processing has to be absolutely essential. 
However, it must be more than just useful or habitual. It must be a targeted 
and proportionate way of achieving that purpose. 
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The conditions do not apply if you can reasonably achieve the same purpose 
by some other less intrusive means. There is a link here to the data 
minimisation principle, which you should consider carefully for special 
category data and criminal offence data. 


It is not enough to argue that processing is necessary because it is part of 
your particular business model, processes or procedures, or because it is 
standard practice. The question is whether the processing of the special 
category or criminal offence data is a targeted and proportionate way of 
achieving your research purposes. 


When is research related processing ‘in the public interest’? 


If you want to rely on the research condition for processing special category 
or criminal offence data, the DPA 2018 states that this processing must be in 
the public interest. 


The legislation does not define the ‘public interest’. However, public interest 
in the context of research should be interpreted broadly to include any clear 
and positive benefit to the public likely to arise from that research. 


The public interest covers a wide range of values and principles relating to 
the public good, or what is in the best interests of society. In making the 
case that your research is in the public interest, it is not enough to point to 
your own private interests. Of course, you can still have a private interest - 
you just need to make sure that you can also point to a wider public benefit. 


Some examples of the form this benefit could take are: 


e improved health and wellbeing outcomes; 

e improved financial or economic outcomes for individuals or the 
collective public; 

e the advancement of academic knowledge in a given field; or 

e the provision of more efficient or more effective products and services 
for the public. 


It is your responsibility to demonstrate that the processing you are proposing 
to undertake is in the public interest. You may want to consider the ‘breadth 
and depth’ of that public benefit: that is, what proportion of the public are 
benefitted by your research processing, and by how much. Something that 
benefits a small number of people by an insignificant amount is unlikely to 
have a strong public interest case. 


However it is possible that processing for the purposes of research which 
benefits only a small number of people, but where the benefit generated is 
significant, can be in the public interest. There may be a public interest in 
something even if it does not benefit the whole of society. For example, there 
may be a strong public interest in something which confers an important 
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benefit on a small subset of the public, so long as it does not also harm 
society’s wider interests. For example, processing for the purposes of 
research into rare but debilitating medical conditions is likely to be in the 
public interest. Similarly, research processing that generated only a modest 
benefit, but to a significantly large number of people, could be in the public 
interest. 


The avoidance of harm to the public will also be a key factor in determining 
whether or not your research is in the public interest. Clearly, if the 
processing causes more harm than benefit, it is unlikely to be in the public 
interest. Additionally, you may not make use of the research provisions, if 
your processing is likely to cause substantial damage or distress. 


Public interest research may be conducted by public sector bodies, or private 
and third sector organisations. The focus is on the processing activity, not on 
the status of your organisation. You don’t have to be a public body, or have 
significant public interest objectives as part of your founding organisational 
goals or mission statement - as long as you can demonstrate that the 
processing itself is in the public interest. 
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Example 


When the health research organisation in a previous example obtains 
data from the charity supporting vulnerable families and from GP 
practices, for its research into links between childhood malnutrition and 
other health conditions, it will have to: 


identify a lawful basis (as it has obtained this data from other 
organisations, rather than directly from the individuals); and 
satisfy an article 9 condition, as it is processing special category 
data. 


If the research organisation is a charity, or private sector organisation, 
the most likely lawful basis will be legitimate interests. However, if it isa 
public authority, such as an NHS organisation or university, it is likely 
that it can rely upon the public task lawful basis. 


Turning to the Article 9 condition for processing, given the nature of the 
research project, the research organisation is able to argue that it is 
necessary to process information about the health of individuals, as well 
as information about their racial or ethnic origin. 


The research organisation does intend to publish its findings. However, 
this will be done in a pseudonymised manner, and none of the 
individuals concerned will be identifiable. 


Because of this, the processing of this data in this way will not be likely 
to cause substantial damage or distress to any of the individuals 
concerned. 


The aim of the research is to gain new understandings of the links 
between childhood malnutrition and other health conditions among 
certain socio-economic groups - to better inform health and social 
policy decisions. It will not be used to make decisions about any of the 
individuals. 


Finally, given the aims of the research the research organisation is able 
to claim that the processing is in the public interest. 


Therefore, the research organisation is able to satisfy the condition set 
out in Article 9(2)(j) - on the basis that the processing is necessary for 
scientific or historical research. 
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Exemptions 


At a glance: 


Individuals have a number of specific rights over their data - including 
rights to be informed, to access, to rectify (correct), to erase, to 
restrict, to port (move), and to object. 

Some of these rights contain built-in exceptions for research. 

For other rights, you may be able to rely on a separate research 
exemption, if giving full effect to the right would undermine your 
research purposes. 

You shouldn’t rely on exceptions or exemptions in a blanket manner. 
You must consider them case by case. 

You should only restrict the exercising of a data subject’s rights if the 
exemption applies and there is a valid reason to apply it. 

If you can give full effect to individual rights without undermining your 
research purposes, you cannot use the exemptions. 


In detail: 


What should we take into account when applying these exemptions? 
What is the exception to the right to be informed? 

What is the exemption from the right of access? 

What is the exemption from the right to rectification? 

What is the exception to the right to erasure? 

What is the exemption from the right to restrict processing? 

What is the archiving exemption from the right to data portability? 
What is the exemption from the right to object? 


What should we take into account when applying these exemptions? 


Articles 13 to 21 of the UK GDPR set out the rights that individuals have over 
how their data is used. 


There are exemptions from most of these rights available for data processed 
for research related purposes. These exemptions may apply to the following 
rights: 


the right to be informed; 
the right of access; 

the right to rectification; 
the right to erasure; 
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e the right to restrict processing; 
e the right to data portability; and 
e the right to object. 


For some of these rights, there is a built-in exception for research. For 
others, there is a separate exemption set out in Schedule 2 of the DPA 2018. 


You should only restrict the exercising of a data subject’s rights if the 
exemption applies and there is a valid reason to apply it. There should be a 
causal link between giving effect to the right and the potential prejudicial 
effect that you have identified. 


You should not apply the research related exemptions in a blanket fashion, 
and only to the extent that the application of the specific right would cause 
the prejudicial effect you have identified. Therefore, the application of the 
exemptions must be necessary and proportionate. You must consider the 
application of the exemptions on a case-by-case basis. 


You should document your reasons for relying on an exemption and must 
make this reasoning available to the ICO if required. 


You must inform the individual without undue delay and within one month of 
receipt of the request about: 


e the reasons why you have refused the request; 
e their right to make a complaint to the ICO; and 
e their ability to seek to enforce this right through the courts. 


The following sections explain how the research related exemptions affect 
each of these rights. 


Relevant provisions in the legislation 


Relevant provisions in the UK GDPR (the exempt provisions) 
- Articles 14(1)-(4), 15(1)-(3), 16, 18(1) and 21 (1) 


(external link) 


Relevant provisions in the Data Protection Act 2018 (the 


exemption) - Schedule 2, Part 6, Paragraph 27 (external 
link) 


What is the exception to the right to be informed? 

The right to be informed covers some of the key transparency requirements 
of the UK GDPR. It is about providing individuals with clear and concise 
information about what you do with their personal data. 
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Articles 13 and 14 of the UK GDPR specify what individuals have the right to 
be informed about. We call this ‘privacy information’. 


However, the UK GDPR recognises that when processing data you have 
obtained from another organisation, rather than directly from the data 
subject, this might be very difficult. 


Article 14(5)(b) provides an exception from the obligations placed on you by 
the right to be informed when you have obtained personal data from a 
source other than the individual, if providing this information: 


e proves impossible or would involve disproportionate effort; or 
e would be likely to render impossible or seriously impair the objectives 
of the processing. 


The UK GDPR recognises that the first of these issues is especially likely to 
arise in the context of research, where you may sometimes carry out 
processing for one of the research related purposes using data that was 
originally obtained a long time ago by a different organisation. 


However, even in this situation, you do not have an automatic exception 
from the requirement to provide privacy information. You must consider 
whether the provision of privacy information would involve disproportionate 
effort. To do this, you must take into account the effort and impact required 
to provide privacy information, and balance this against the potential effect 
on the individual that your use of their data will have on them. 


When assessing whether or not effort would be disproportionate, you should 
consider: 


e the number of data subjects; 
e the age of the data; and 


e any appropriate safeguards you have adopted. 


If you determine that providing privacy information to individuals does 
involve disproportionate effort, you must still publish the privacy information 
(eg on your website), and carry out a Data Protection Impact Assessment 
(DPIA). 


This exception also removes the obligation to provide privacy information, if 
doing so would render impossible or seriously impair the objectives of your 
processing. However, this exception is most likely to apply in investigative 
contexts, when alerting an individual that you are processing their personal 
data would tip them off to the investigation. It is not likely to apply in the 
research context. 
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It is important to note that if you are using data for research purposes that 
you have collected directly from the individual, this exception does not 


apply. 


What is the exemption from the right of access? 


Under Article 15 of the UK GDPR, individuals have the right to obtain a copy 
of their personal data, as well as other supplementary information. This is 
known as the right of access, or subject access. 


However, there are exemptions from the right of access if you are processing 
for research related purposes. These are listed in separate paragraphs of the 
DPA 2018: 


e Schedule 2 Paragraph 27 provides an exemption if you are processing 
personal data for scientific or historical research purposes or statistical 
purposes. 

e Schedule 2 Paragraph 28 provides an exemption if you are processing 
for archiving purposes in the public interest. 


The exemptions only apply: 


e to the extent that providing access to the data would prevent or 
seriously impair the achievement of the purposes for processing; 

e if the processing is subject to appropriate safeguards for individuals’ 
rights and freedoms; 

e if the processing is not likely to cause substantial damage or 
substantial distress to an individual; and 


e if the processing is not used for measures or decisions about particular 
individuals, except for approved medical research. 


Schedule 2 Paragraph 27 sets out a further condition on the exemption for 
scientific or historical research or statistics, which is that research results or 
any resulting statistics are not made available in a way that identifies 
individual data subjects. This condition does not apply to archiving in the 
public interest. 


You must be able to show that giving effect to the right of access would 
prevent or seriously impair your ability to achieve your research purposes. 


You should not apply the exemptions in a blanket fashion, and only to the 
extent that the application of the specific right would cause the prejudicial 
effect you have identified. Therefore, the application of the exemptions must 
be necessary and proportionate. You must consider the application of the 
exemptions on a case-by-case basis. 
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Example 


An individual becomes aware that their health data has been 
passed to an organisation that is processing it for scientific 

research purposes. They make a request to the organisation 
for a copy of all the data the organisation holds about them. 


The individual’s data is part of a relatively small data set, 


and disclosure of the data would not prevent or seriously 
impair the research project. As such, the use of the 
exemption from the right of access is not necessary. 


In these circumstances the exemption does not apply and 
should not be used. The organisation should therefore 
disclose the information it holds. 


What is the exemption from the right to rectification? 


Under Article 16 of the UK GDPR, individuals have the right to have 
inaccurate personal data rectified. When an individual makes a request for 
rectification, you should normally take reasonable steps to satisfy yourself 
that the data is accurate and to rectify the data if necessary. You should take 
into account the arguments and evidence provided by the data subject. 


However, there are exemptions from the right to rectification if you are 
processing for research related processing. These are listed in separate 
paragraphs of the DPA 2018: 


e Schedule 2 Paragraph 27 provides an exemption if you are processing 
personal data for scientific or historical research purposes or statistical 
purposes. 

e Schedule 2 Paragraph 28 provides an exemption if you are processing 
for archiving purposes in the public interest. 


The exemptions only apply: 


e to the extent that rectifying the data would prevent or seriously impair 
the achievement of the purposes for processing; 

e if the processing is subject to appropriate safeguards for individuals’ 
rights and freedoms; 

e if the processing is not likely to cause substantial damage or 
substantial distress to an individual; and 


e if the processing is not used for measures or decisions about particular 
individuals, except for in the case of approved medical research. 
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You must be able to show that giving effect to the right to rectification would 
prevent or seriously impair your ability to achieve your research purposes. 


You should not apply the exemptions in a blanket fashion, and only to the 
extent that the application of the right to rectification would cause the 
prejudicial effect you have identified. Therefore, the application of the 
exemptions must be necessary and proportionate. You must consider the 
application of the exemptions on a case-by-case basis. 


What is the exception to the right to erasure? 


Under Article 17 of the UK GDPR, individuals have the right to have their 
personal data erased. This is also known as the ‘right to be forgotten’. 
However, there is a built-in exception for research. 


Article 17(3)(d) states that if you are processing data for research related 
purposes, the right to erasure does not apply in so far as giving effect to 
the right is likely to render impossible or seriously impair the achievement of 
your research objectives. 
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Example 


A pharmaceutical company is testing a new drug that it 
hopes will be used in future to treat patients with flu. To test 
the drug, the company needs to process the personal data of 
individuals who take part in trials of the drug, including their 
health data. 


Although participants in the drug trial proactively agree to 
take part in the trial, their personal data is processed on the 
basis of legitimate interests. 


During the trial, a participant chooses to withdraw from 
further tests. They make a request to the company to erase 
all of the personal data it holds about them, including their 
health data generated during the trial. 


Complying with this request would undermine the integrity of 
the company’s data set. It would risk skewing the results of 
the study, and would thus render impossible or seriously 
impair the achievement of the company’s research 
objectives. 


In these circumstances the exception from the right to 
erasure would apply. The company is justified in refusing the 
request to erase the individual’s personal data. 


What is the exemption from the right to restrict processing? 


Under Article 18 of the UK GDPR, individuals have the right to restrict the 
processing of their personal data in certain circumstances. This means that 
an individual can limit the way that an organisation uses their data. This is an 
alternative to requesting the erasure of their data. 


However, there are exemptions from the right to restrict processing if you 
are processing for research related processing. These are listed in separate 
paragraphs of the DPA 2018: 


e Schedule 2 Paragraph 27 provides an exemption if you are processing 
personal data for scientific or historical research purposes or statistical 
purposes. 

e Schedule 2 Paragraph 28 provides an exemption if you are processing 
for archiving purposes in the public interest. 


The exemptions only apply: 
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e to the extent that restricting processing would prevent or seriously 
impair the achievement of the purposes for processing; 

e if the processing is subject to appropriate safeguards for individuals’ 
rights and freedoms; 

e if the processing is not likely to cause substantial damage or 
substantial distress to an individual; and 


e if the processing is not used for measures or decisions about particular 
individuals, except for approved medical research. 


You must be able to show that giving effect to the right to restrict processing 
would prevent or seriously impair your ability to achieve your research 
purposes. 


You should not apply the exemptions in a blanket fashion, and only to the 
extent that the application of the right to rectification would cause the 
prejudicial effect you have identified. Therefore, the application of the 
exemptions must be necessary and proportionate. You must consider the 
application of the exemptions on a case-by-case basis. 


What is the archiving exemption from the right to data portability? 


Under Article 20 of the UK GDPR, individuals have the right to receive 
personal data they have provided to a controller in a structured, commonly 
used and machine readable format. It also gives them the right to request 
that a controller transmits this data directly to another controller. 


The right to data portability only applies when: 


e your lawful basis for processing this information is consent or for the 
performance of a contract; and 

e you are carrying out the processing by automated means (ie excluding 
paper files). 


In practice, this right is usually relevant to organisations who are providing a 
service to a customer, to allow that customer to easily port their own data to 
other service providers. It’s much less likely to apply in the context of 
research - especially because research processing is not generally carried 
out on the basis of consent or contract. (See what lawful basis should we use 
when processing personal data for research related purposes?) 


Because the right is unlikely to be relevant in the context of research, this 
means there is no general exemption for research purposes. 


However, Schedule 2 Paragraph 28 of the DPA 2018 provides an exemption 
from the right to data portability if you are processing for archiving purposes 
in the public interest. 

The exemption only applies: 
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e to the extent that upholding the right to data portability would prevent 
or seriously impair the achievement of the purposes for processing; 

e if the processing is subject to appropriate safeguards for individuals’ 
rights and freedoms; 

e if the processing is not likely to cause substantial damage or 
substantial distress to an individual; and 


e if the processing is not used for measures or decisions about particular 
individuals, except for approved medical research. 


There is no equivalent exemption from the right to data portability if you are 
processing for scientific or historical research or statistics. However, this is 
unlikely to be of any practical significance, because for most research related 
processing the right to data portability will not apply. 


What is the exemption from the right to object? 


Under Article 21 of the UK GDPR, individuals have the right to object to the 
processing of their personal data at any time. This right allows individuals to 
ask you to stop processing their personal data, or requires you to justify why 
you need to do so. 


For more information on this right, see our guidance on the Right to Object. 


Where you are processing personal data for scientific or historical research, 
or statistical purposes, the right to object is more restricted. 


Article 21(6) states: 


Quote 

‘Where personal data are processed for scientific or 
historical research purposes or statistical purposes pursuant 
to Article 89(1), the data subject, on grounds relating to his 


or her personal situation, shall have the right to object to 
processing of personal data concerning him or her, unless 
the processing is necessary for the performance of a task 
carried out for reasons of public interest.’ 


Effectively this means that if you are processing data for scientific or 
historical research, or statistical purposes, and have appropriate safequards 
in place the individual only has a right to object if your lawful basis for 
processing is: 


e public task - on the basis that it is necessary for the exercise of official 
authority vested in you, or 
e legitimate interests. 
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It is important to note that the individual does not have a right to object if 
your lawful basis for processing is public task because it is necessary for the 
performance of a task carried out in the public interest. 


Article 21(6) therefore differentiates between the two parts of the public task 
lawful basis (performance of a task carried out in the public interest or in the 
exercise of official authority vested in you). 


This may cause difficulties if you are relying on the public task lawful basis 
for processing, as it may not always be clear whether you are carrying out 
the processing solely as a task in the public interest, or in the exercise of 
official authority. Indeed, it may be difficult to differentiate between the two. 


If you do intend to refuse an objection on the basis that you are carrying out 
research related processing solely for the performance of a public task 
carried out in the public interest you should be clear in your privacy notice 
that you are only carrying out the processing on this basis. 


If someone objects to you processing their personal data, you have an 
obligation to consider their objection and the reasons they give. 


However you can still continue with the processing, if you can demonstrate 
compelling legitimate grounds for the processing which overrides the 
individual’s interests (including any specific circumstances raised in their 
objection). 


Where research complies with the appropriate safeguards set out in Article 
89 of the UK GDPR and Section 19 of the DPA 2018, we would expect that in 
most cases, the legitimate interests in the research would override an 
individual objection. This means that in most cases, you won't actually need 
to rely on the exemption. You can give full effect to the right to object, by 
considering the objection, and then explaining to the data subject why your 
legitimate interests in the research override their objection in the specific 
circumstances. 


However, if you consider that even considering the objection would prevent 
or seriously impair the achievement of your research objectives, you may 
use the research related exemptions. These are listed in separate paragraphs 
in the DPA 2018: 


e Schedule 2 Paragraph 27 provides an exemption if you are processing 
personal data for scientific or historical research purposes or statistical 
purposes. 

e Schedule 2 Paragraph 28 provides an exemption, if you are processing 
for archiving purposes in the public interest. 


The exemptions only apply: 
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e to the extent that upholding the right to object would prevent or 
seriously impair the achievement of the purposes for processing; 

e if the processing is subject to appropriate safeguards for individuals’ 
rights and freedoms; 

e if the processing is not likely to cause substantial damage or 
substantial distress to an individual; and 


e if the processing is not used for measures or decisions about particular 
individuals, except for in the case of approved medical research. 


The onus is on you to demonstrate why even considering the objection would 
prevent or seriously impair your research objectives. This may be difficult to 
do, given that the exemptions should not be applied in a blanket fashion, but 
instead should be applied on a case by case basis. In most situations, 
considering whether or not to apply the exemption in a particular case will 
have the same practical effect as simply considering the objection. 


However, it is feasible that in some contexts, the act of considering 
objections might prevent or seriously impair your research objectives, 
because the volume of objections received means that to consider them all 
would divert limited resources away from your main functions. In this context 
it would still not be acceptable to apply the exemptions in a blanket fashion. 
However, it might be possible to have a general policy that objections are not 
considered, and then consider whether the specific circumstances mean you 
should deviate from the policy in any particular case. 


Given that this situation is unlikely to occur, we consider that in most cases, 
you will not need to apply the exemption from the right to object. It would be 
preferable to consider the objection, and then explain to the data subject 
why your legitimate interests in pursuing the research override the 
circumstances of their objection. 
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What are the appropriate safeguards? 


At a glance: 


e In order to use the research provisions, you need to have appropriate 
safeguards in place to protect the rights and freedoms of the 
individuals whose personal data you are processing. 

e These safeguards take the form of technical and organisational 
measures to ensure respect for the principle of data minimisation. 

e Where possible, you should carry out your research using anonymous 
information. This information is not personal data and data protection 
law does not apply. 

e Where it is not possible to use anonymised data, you should consider 
whether it is possible to pseudonymise the data. Pseudonymous data is 
still personal data and data protection law applies. 

e Use of the research provisions is not permitted if the processing is 
likely to cause substantial damage or substantial distress to a data 
subject. 

e Use of the research provisions is not permitted if the processing is 
carried out for the purposes of measures or decisions with respect to 
particular data subjects, unless the research is approved medical 
research. 


In detail: 


e What does the law say? 

e What is data minimisation? 

e What is pseudonymisation? 

e When is processing likely to cause substantial damage or substantial 
distress? 


e What does ‘not used for measures or decisions about particular 
individuals’ mean? 


What does the law say? 


Article 89 of the UK GDPR says that use of the research provisions is 
dependent on you having appropriate safeguards in place to protect the 
rights and freedoms of the individuals whose personal data you are 
processing. 


These safeguards take the form of technical and organisational measures, in 
particular to ensure respect for the principle of data minimisation. This may 
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involve anonymising or pseudonymising data, where possible for your 
research. 


Section 19 of the DPA 2018 adds to these safeguards by stating that 
research related processing will not satisfy Article 89 if the processing: 


e is likely to cause substantial damage or substantial distress to data 
subjects; or 

e is carried out for the purposes of measures or decisions about 
particular individuals, except in the case of approved medical research. 


What is data minimisation? 
Article 5(1)(c) of the UK GDPR says: 


Quote 


1. Personal data shall be: 


(c) adequate, relevant and limited to what is necessary in 
relation to the purposes for which they are processed 
(data minimisation) 


This means that you should identify the minimum amount of personal data 
you need to fulfil your purpose. You should hold that much information, but 
no more. 


You should first consider whether it is possible to conduct your research 
without using personal data. If it would be possible to carry out your 
research using data that has been anonymised, then processing of personal 
data is not necessary, and therefore you cannot rely on the research 
provisions. 


Anonymous information is not personal data, and data protection law does 
not apply. 


Anonymisation refers to the techniques and approaches that aim to ensure 
the data: 


e does not relate to an identified or identifiable individual, or 
e is rendered anonymous in such a way that individuals are not (or are 
no longer) identifiable. 


However, it may not always be possible to fulfil your research purposes using 
anonymised data. For example, if individual data subjects are being tracked 
in a longitudinal study, then aggregated or anonymous data would make the 
research impossible. 
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What is pseudonymisation? 


Where it is not possible to use anonymised data, you should consider 
whether it is possible to pseudonymise the data. 


Pseudonymisation refers to techniques that replace or remove information 
that identifies an individual. Pseudonymisation means that individuals are not 
identifiable from the dataset itself, but can be identified by referring to other 
information held separately. Pseudonymous data is still personal data and 
data protection law applies. 


You should ensure that anonymisation or pseudonymisation is done at the 
earliest possible opportunity, ideally prior to using the data for research 
purposes. 


The ICO is currently working on new guidance on 
anonymisation, pseudonymisation and privacy enhancing 
technologies. Links to this guidance will be added here when 
it is published. 


Further reading - ICO guidance 


Data minimisation 


Security 

Data protection by design and default 

Data Protection Impact Assessments 

Link to anonymisation/pseudonymisation guidance when 
published 


When is processing likely to cause substantial damage or substantial 
distress? 


Section 19(2) of the DPA 2018 says that use of the research provisions is not 
permitted if the processing is likely to cause substantial damage or 
substantial distress to a data subject. 


The legislation does not define what is meant by substantial damage or 
substantial distress. 


However, in most cases: 


e substantial damage would include both material and non-material 
harms, such as financial loss, economic or social disadvantage, 
physical harm, damage to reputation, loss of confidentiality, or 
deprivation of rights; and 
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e substantial distress would be a level of upset, emotional or mental 
pain, that goes beyond annoyance, irritation, strong dislike, or a 
feeling that the processing is morally abhorrent. 


What does ‘not used for measures or decisions about particular 
individuals’ mean? 


Most research will have some influence on how measures and decisions are 
taken in future, by generating new insights that inform policy-making, or 
producing new techniques and processes that change how services are 
offered. These are legitimate objectives for research to pursue, and 
processing which aims to change how measures and decisions are taken in 
future will often be able to rely on the research provisions. 


However, Section 19(3) of the DPA 2018 says that use of the research 
provisions is not permitted if the processing is carried out for the purposes of 
measures or decisions with respect to particular data subjects, unless the 
research is approved medical research. What this means is that you cannot 
rely on the research provisions if you are intending to use that data, and the 
results of your research, to make specific decisions about the data subjects 
involved, or to inform the services you provide to them. 


It also means that once you have relied on the research provisions to justify 
retaining data past your normal operational retention periods, you can’t later 
decide to reuse that data for the purposes of making decisions about the 
data subjects involved. Research must be the sole purpose the data is now 
used for. 


The only exception to this is in the case of approved medical research. 
Approved medical research means medical research that has been approved 
by a research committee recognised or established by the Health Research 
Authority, or by another body for the purpose of assessing the ethics of 
research involving individuals, appointed by any of the following: 


e the Secretary of State, the Scottish Ministers, the Welsh Ministers, or a 
Northern Ireland Department; 

e in England, an NHS trust or NHS foundation trust; 

e in Wales, an NHS trust or Local Health Board; 

e in Scotland, a Health Board, Special Health Board, or the Common 
Services Agency for the Scottish Health Service; 

e in Northern Ireland, a Health and Care social body as defined by 
Section 1(5) paragraphs (a) to (e) of the Health and Social Care 
(Reform) Act (Northern Ireland) 2009; 

e United Kingdom Research and Innovation or one of the Research 
Councils; or 
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e aresearch institution as defined by Chapter 4A of Part 7 of the Income 
Tax (Earnings and Pensions) Act 2003. 


Relevant provisions in the Data Protection Act 2018 - 
Section 19(3) (external link) 
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